Tomcat worm puts servers under attackers' remote control

Java.Tomdep reportedly turning victims into IRC-instructed zombies, but has yet to reveal its sinister agenda.

Researchers from Symantec have identified a worm that places infected Tomcat servers under the complete control of third-party attackers.

First discovered by the Norton Antivirus company on October 30 and subsequently christened Java.Tomdep, the worm affects Tomcat on practically every operating system (aside from Windows 8). It acts as a Java servlet, inserting a file called ApacheLoader.war into the Tomcat application folder.

According to researcher Takashi Katsuki, Tomdep poses no threat
to end users accessing a Tomcat-hosted website. Instead, it allows
the worm’s controllers total control over the infected server, with
commands being sent over an IRC connection.

Katsuki speculates that the worm’s creators may be attempting to
build an army of zombie servers for use in DDoS attacks. However,
this could change since the worm can be updated remotely.

Tomdep spreads by searching random IP addresses for other
instances of Tomcat, then entering weak username/password
combinations such as “root/root”, “tomcat/admin” and
“admin/password”.

If successful, it will replicate itself, connect to the remote
IRC servers and then seek out further targets. These remote
“command and control” servers have been tracked down to Taiwan and
Luxembourg – though the attackers could be based anywhere.

Symantec doesn’t believe Tomdep has become widespread yet – its
antivirus products have detected fewer than 50 cases so far. To
avoid infection, Katsuki recommends ensuring servers are fully
patched, using strong passwords and not opening the management port
to public access. And for those who believe their systems may be
infected, the antivirus company’s recommended course of action is –
of course – to do a full system scan using its software.
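The spread mechanism described above (credential guessing against the Tomcat manager, followed by deployment of ApacheLoader.war) and Katsuki's advice to keep the management port off the public internet both leave traces in Tomcat's access log. The following detector is an added example, not code from Symantec or from the article: it parses lines in the default AccessLogValve "common" pattern (`%h %l %u %t "%r" %s %b`), counts 401 responses on `/manager` per source address, flags a manager login that succeeds after earlier failures, flags deploy/upload requests and any request to the `/ApacheLoader` context named in the article, and reports manager traffic from addresses outside an allow-list. The failure threshold, the allow-list of 127.0.0.1, and the sample log lines are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Default Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

FAIL_THRESHOLD = 3                  # assumption: 401s from one IP before alerting
MANAGER_ALLOWED = {"127.0.0.1"}     # assumption: manager should only be reached locally
SUSPECT_CONTEXT = "/ApacheLoader"   # context name of the WAR the article says Tomdep drops


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines):
    """Scan access-log lines and return a list of (ip, kind, detail) alerts in log order."""
    failures = defaultdict(int)   # 401 count on /manager per source IP
    exposed = set()               # IPs already reported for reaching /manager from outside
    compromised = set()           # IPs already reported for a post-failure success
    alerts = []

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]

        if path.startswith("/manager"):
            # Management interface reachable from a non-allow-listed address at all.
            if ip not in MANAGER_ALLOWED and ip not in exposed:
                exposed.add(ip)
                alerts.append((ip, "manager_exposed", path))

            if status == 401:
                failures[ip] += 1
                if failures[ip] == FAIL_THRESHOLD:
                    alerts.append((ip, "credential_guessing",
                                   f"{failures[ip]} failed manager logins"))
            elif status in (200, 201):
                # A success right after failures is the signature of a guessed password.
                if failures[ip] and ip not in compromised:
                    compromised.add(ip)
                    alerts.append((ip, "login_after_failures",
                                   f"succeeded after {failures[ip]} failures"))
                # Manager deploy (text API) or upload (HTML form) of a new application.
                if "/deploy" in path or "/upload" in path:
                    alerts.append((ip, "manager_deploy", path))

        # Any hit on the context the dropped WAR would create.
        if path == SUSPECT_CONTEXT or path.startswith(SUSPECT_CONTEXT + "/"):
            alerts.append((ip, "suspect_context", path))

    return alerts


def analyse_log(text):
    return analyse(text.splitlines())


# Constructed sample log: three failed manager logins, a success, an upload,
# then a request to the new context, plus one benign request from another host.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Oct/2013:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [30/Oct/2013:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [30/Oct/2013:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - tomcat [30/Oct/2013:10:15:04 +0000] "GET /manager/html HTTP/1.1" 200 11234
203.0.113.5 - tomcat [30/Oct/2013:10:15:05 +0000] "POST /manager/html/upload HTTP/1.1" 200 9821
203.0.113.5 - - [30/Oct/2013:10:15:09 +0000] "GET /ApacheLoader/ HTTP/1.1" 200 17
198.51.100.7 - - [30/Oct/2013:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 1102
"""

if __name__ == "__main__":
    for ip, kind, detail in analyse_log(SAMPLE_LOG):
        print(f"{ip:15} {kind:22} {detail}")
```

On a real server the same logic runs over `logs/localhost_access_log.*.txt`; the `manager_exposed` alert is the one to act on first, since a manager interface that only answers to 127.0.0.1 (or is not deployed at all) gives the worm's password list nothing to try against.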